1. Field of the Invention
The present invention is directed to technology for determining the set of groups that a user is a member of.
2. Description of the Related Art
With the growth of the Internet and the use of networks and other information technologies, Identity Systems have become more popular. In general, an Identity System provides for the creation, removal, editing and other managing of identity information stored in various types of data stores. The identity information pertains to users, groups, organizations and/or things. For each entry in the data store, a set of attributes is stored. For example, the attributes stored for a user may include a name, an address, an employee number, a telephone number, an email address, a user ID and a password. The Identity System can also manage access privileges that govern what an entity can view, create, modify or use in the Identity System. Often, this management of access privileges is based on one or more attributes.
Groups can be very useful for managing access privileges and other items. For example, if five persons at a company have similar job responsibilities, they are likely to need similar access privileges. Rather than configure each person separately, a group can be created and each of the five persons can be added to the group. An administrator then only needs to configure the system for the single group's access privileges, instead of five separate persons. Groups can be used for any subset of access privileges. Groups are also popular for mailing lists.
A user can be a member of a group by explicitly identifying that user as a member. This is referred to as static membership. There are at least two additional means for a user to become a member of a group. First, a rule can be set up that defines who can become a member of the group. A user who is a member of a group based on a rule is referred to as a dynamic member. Additionally, a first group can be a member of a second group, causing all of the members of the first group to be members of the second group. The members of the first group are said to be nested members of the second group, while the first group is said to be a group member of the second group.
One service of an Identity System that can be useful to a user is to provide, on demand or automatically, an identification of the groups that a user is a member of. This identification of groups should report those groups that include the user as a static member, dynamic member or nested member.
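The following sketch is an added illustration, not part of the original text or of any described Identity System. It resolves static, dynamic and nested membership for one user, including the case where groups contain each other in a cycle. The directory layout, the attribute-equality rule format and all user and group names are assumptions constructed for the example.

```python
from collections import deque

# Constructed sample directory; all names, attributes and rules are assumptions.
USERS = {
    "alice": {"dept": "finance", "title": "analyst"},
    "bob": {"dept": "engineering", "title": "manager"},
}
# static: explicit user members; rule: attribute filter for dynamic members;
# group_members: groups nested inside this group.
GROUPS = {
    "payroll": {"static": {"alice"}, "rule": None, "group_members": set()},
    "managers": {"static": set(), "rule": {"title": "manager"}, "group_members": set()},
    "finance-all": {"static": set(), "rule": {"dept": "finance"}, "group_members": {"payroll"}},
    # erp-access and audit contain each other: a cycle the resolver must survive.
    "erp-access": {"static": set(), "rule": None, "group_members": {"finance-all", "managers", "audit"}},
    "audit": {"static": set(), "rule": None, "group_members": {"erp-access"}},
}

def rule_matches(rule, attrs):
    """A dynamic rule here is a dict of attribute values that must all match."""
    return rule is not None and all(attrs.get(k) == v for k, v in rule.items())

def groups_of(user, users=USERS, groups=GROUPS):
    """Return {group: how}, where how is 'static', 'dynamic' or 'nested'."""
    attrs = users[user]
    result = {}
    # Direct memberships: explicit listing first, then rule evaluation.
    for name, group in groups.items():
        if user in group["static"]:
            result[name] = "static"
        elif rule_matches(group["rule"], attrs):
            result[name] = "dynamic"
    # Reverse index: group -> groups that hold it as a group member.
    parents = {}
    for name, group in groups.items():
        for child in group["group_members"]:
            parents.setdefault(child, set()).add(name)
    # Walk upward from each direct membership. A group already recorded is
    # never queued again, so cyclic nesting terminates.
    queue = deque(result)
    while queue:
        for parent in parents.get(queue.popleft(), ()):
            if parent not in result:
                result[parent] = "nested"
                queue.append(parent)
    return result

if __name__ == "__main__":
    for user in USERS:
        print(user, groups_of(user))
```

A direct (static or dynamic) membership takes precedence in the report over a nested one for the same group, which is why alice is shown as a dynamic member of finance-all even though payroll is also nested in it.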